Security researchers have disclosed multiple high-severity flaws dubbed ‘Leaky Vessels’ affecting core container infrastructure components including Docker and runC. If successfully exploited, these flaws could enable attackers to break out of containers and access sensitive data and systems.
Discovered by Snyk’s Security Labs team, the four vulnerabilities were responsibly disclosed to vendors in December 2023. Now that patches have been released, details have been made public to raise awareness. All organizations using container technologies should urgently update to mitigate potential attacks.
Impacts Docker, runc and BuildKit
The most severe issue is CVE-2024-21626, a high-risk vulnerability in runc, a popular CLI tool for running containers on Linux. By carefully controlling command order, an attacker could leverage this flaw to escape the container and gain unauthorized access to the underlying host OS.
Snyk’s investigation also uncovered three additional high-severity flaws in Docker’s BuildKit component used for building container images:
- CVE-2024-23651 – A race condition enabling container escapes from the BuildKit mount cache.
- CVE-2024-23653 – A privilege check bypass in BuildKit's gRPC server enabling container breakouts.
- CVE-2024-23652 – A flaw permitting arbitrary file deletion during container build teardown.
While exploitation requires precision, the prevalence of the affected software makes these issues highly dangerous. Attackers could potentially access any sensitive data on compromised hosts or use them as a launch point for additional attacks.
Updates Released for Docker, Kubernetes and More
To mitigate these risks, users of container technologies should update their systems urgently:
- Docker has released updated versions of BuildKit, Moby and runc.
- Kubernetes and other orchestrators should be updated to use runc 1.1.12+.
- Container build tools in CI/CD pipelines and on developer machines should also be patched.
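The update guidance above reduces to one check per host: is the installed runc at or above 1.1.12? The following POSIX shell script is an added example, not code from the article, Snyk or Docker. It parses the first line of `runc --version` output (the sample output embedded below is constructed) and compares the version field by field against 1.1.12; the function names and the `--check` flag are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the article, Snyk or Docker: verify that the runc
# installed on a host is at least 1.1.12, the version the update guidance
# names. The sample `runc --version` output below is constructed.

SAMPLE_RUNC_OUTPUT='runc version 1.1.11
commit: v1.1.11-0-g4bccb38
spec: 1.0.2-dev
go: go1.20.12
libseccomp: 2.5.4'

# Pull the bare version number (e.g. "1.1.11") out of `runc --version` output.
runc_version_from_output() {
    printf '%s\n' "$1" | awk '/^runc version/ { print $3; exit }'
}

# Return 0 when dotted version $1 is greater than or equal to $2, else 1.
# Fields are compared numerically; a pre-release suffix such as "-rc1" is
# dropped from a field, so a release candidate is treated like the release.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x%%-*}; y=${y%%-*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# The version the advisory names as the minimum for CVE-2024-21626.
runc_is_patched() {
    version_ge "$1" "1.1.12"
}

# Run against the runc on this host; exit 0 if patched, 1 if not, 2 if absent.
check_installed_runc() {
    if ! command -v runc >/dev/null 2>&1; then
        echo "runc: not found in PATH"
        return 2
    fi
    v=$(runc_version_from_output "$(runc --version 2>/dev/null)")
    if runc_is_patched "$v"; then
        echo "runc $v: at or above 1.1.12"
        return 0
    fi
    echo "runc $v: below 1.1.12, update required"
    return 1
}

# Usage: sh check_runc.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed_runc
fi
```

Run it on each node (or through your configuration management tool) and treat exit status 1 as a finding; a host where runc is absent (exit 2) may still be running Docker Desktop or a bundled runtime, so check the Docker package version separately there.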
Snyk has also released open source tools to help identify potential exploitation attempts, including:
- A runtime detector using eBPF hooks to flag suspicious container operations.
- A static analyzer tool to scan Dockerfiles for commands associated with the flaws.
However, these tools do not provide protection against attacks. Updating to patched versions of container software is critical.
Advisory from Vendors
Docker, in an independent advisory, said the vulnerabilities can only be exploited if a user actively engages with malicious content by incorporating it into the build process or running a container from a rogue image.
"Potential impacts include unauthorized access to the host filesystem, compromising the integrity of the build cache, and, in the case of CVE-2024-21626, a scenario that could lead to full container escape," Docker said.
Amazon Web Services (AWS) and Google Cloud have also released alerts of their own, urging customers to take appropriate action as and where necessary.
No Evidence Yet of Active Exploitation
So far, the Snyk team says they have not found any proof that these flaws have been exploited in the wild. However, due to their subtle nature, attacks abusing them may be difficult to detect.
It is therefore crucial that anyone using container technologies updates their infrastructure and properly secures their deployments. Containers can provide major benefits, but also introduce additional risks if not managed properly.
This incident highlights that core container components remain a prime target. The responsible disclosure by Snyk shows the importance of collaboration between vendors and researchers to improve security.
However, the prevalence of critical vulnerabilities in foundational tools indicates there is still work to be done. Anyone using container technologies should ensure they keep completely up-to-date and have strong controls in place to detect anomalies and limit damage from potential attacks.